Report No. DODIG-2012-126
September 10, 2012

Quality Control Review of the Defense Commissary Agency Internal Audit Function

Additional Information and Copies
The Department of Defense, Office of the Assistant Inspector General for Audit Policy
and Oversight, prepared this report. To obtain additional copies of the final report, visit
www.dodig.mil/audit/reports or contact the Office of the Assistant Inspector General for
Audit Policy and Oversight at (703) 604-8760 or fax (571) 372-7454.

Suggestions for Reviews
To suggest or request reviews, contact the Office of the Assistant Inspector General for
Audit Policy and Oversight by phone (703) 604-8760 (DSN 664-8760), by fax
(571) 372-7454, or by mail:

    Department of Defense, Office of Inspector General
    OAIG-Audit Policy and Oversight
    Attn: APO, Suite 11D28
    4800 Mark Center Drive
    Alexandria, VA 22350-1500

Acronyms and Abbreviations
DeCA     Defense Commissary Agency
DeCAM    Defense Commissary Agency Manual
GAGAS    Generally Accepted Government Auditing Standards

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
4800 MARK CENTER DRIVE
ALEXANDRIA, VIRGINIA 22350-1500

September 10, 2012

MEMORANDUM FOR DIRECTOR, DEFENSE COMMISSARY AGENCY

SUBJECT: Quality Control Review of the Defense Commissary Agency Internal Audit
         Function (Report No. DODIG-2012-126)

We are providing this report for your information and use.
We have reviewed the
Defense Commissary Agency (DeCA) Office of Internal Audit system of quality control
in effect for the period ended July 31, 2011. A system of quality control for DeCA’s
audit organization encompasses the audit organization’s leadership, emphasis on
performing high quality work, and policies and procedures established to provide
reasonable assurance of compliance with generally accepted government auditing
standards (GAGAS). The DeCA Office of Internal Audit is responsible for designing a
system of quality control and complying with its system to provide DeCA management
with reasonable assurance that its audits are performed and reported on in accordance
with GAGAS in all material respects.

Our review was conducted in accordance with GAGAS and guidelines established by the
Council of the Inspectors General on Integrity and Efficiency. We tested the DeCA’s
Office of Internal Audit organization’s system of quality control to the extent we
considered appropriate. GAGAS require that an audit organization performing audits or
attestation engagements, or both, in accordance with GAGAS have an appropriate
internal quality control system in place and undergo an external quality control review at
least once every 3 years by reviewers independent of the audit organization being
reviewed. An audit organization’s quality control policies and procedures should be
appropriately comprehensive and suitably designed to provide reasonable assurance that
they meet GAGAS requirements for quality control.

Federal audit organizations can receive a rating of pass, pass with deficiencies, or fail. In
our opinion, the DeCA Office of Internal Audit organization’s system of quality control
for audits was suitably designed in accordance with the quality standards established by
GAGAS.
Accordingly, we are issuing a pass opinion on DeCA’s Office of Internal Audit
organization’s system of quality control for the review period ended July 31, 2011.

Appendix A contains background, comments, observations, and recommendations for
DeCA Office of Internal Audit to improve its quality control system. Appendix B
contains a summary of the results of our interviews with the DeCA Office of Internal
Audit staff. Appendix C contains the scope and methodology of the review.

We appreciate the courtesies extended to the audit staff. For additional information on
this report, please contact Mr. Robert L. Kienitz at (703) 604-8754 (DSN 664-8754).

Assistant Inspector General
for Audit Policy and Oversight

Appendix A. Background, Comments, Observations, and Recommendations

Background
Defense Commissary Agency
The Defense Commissary Agency (DeCA), established on October 1, 1991, operates a
worldwide chain of commissaries in 13 countries and two U.S. territories, providing
groceries to military personnel, retirees, and their families. As of September 30, 2011,
DeCA had 248 stores with total FY 2011 sales of $5.9 billion. DeCA is headquartered at
Fort Lee, Virginia, employs approximately 17,000 employees, and serves approximately
12 million customers.

DeCA Internal Audit Organization
The DeCA Office of Internal Audit, an independent office within DeCA, reports directly
to the Director and Chief Executive Officer, DeCA. It provides independent and
objective internal audit services through an appropriate mix of performance, compliance,
and financial audits. It initiates and conducts audits relating to DeCA programs and
operations, and reports the results. The office consists of a Director, Deputy Director
(currently vacant), one administrator, and eight auditors. During our review period,
DeCA filled the vacant director’s position.
The office also published its first audit
manual, DeCA Manual 90-5.1, “DeCA Internal Audit Manual,” on August 10, 2011,
implementing generally accepted government auditing standards (GAGAS).

Comments, Observations, and Recommendations
We are issuing a pass opinion because we determined that the system of quality control
for the DeCA Office of Internal Audit is adequately designed and functioning as
prescribed. The findings we identified during our review of the selected audit reports
were not cumulatively significant enough to rise to the level of deficiency or significant
deficiency based on our opinion and as defined by the Council of the Inspectors General
on Integrity and Efficiency Guide for Conducting External Peer Reviews of the Audit
Organizations of Federal Offices of Inspector General.

We judgmentally selected four reports [1] to review for compliance with GAGAS in nine
areas: quality control, independence, professional judgment, competence, audit
planning, supervision, evidence, audit documentation, and reporting. We identified five
areas with findings relating to quality control, independence, audit planning, supervision,
and audit documentation.

[1] One of the four reports, misclassified as a performance audit, was actually a nonaudit service. GAGAS
standards do not cover nonaudit services, except for evaluating organizational independence when
performing such a service.

Quality Control System
GAGAS, version 2007, [2] paragraph 3.52, requires each audit organization to document its
quality control procedures and communicate those procedures to its personnel. Our
review covered the period August 1, 2009 to July 31, 2011.
During this period, the
DeCA Office of Internal Audit quality control system consisted of a draft internal audit
manual.

The DeCA Office of Internal Audit published DeCA Manual (DeCAM) 90-5.1, “DeCA
Internal Audit Manual,” on August 10, 2011. Although this manual was published 10
days after the cutoff of our review period, we chose to review it to determine whether it
adequately implemented GAGAS. The manual did not contain a section implementing
GAGAS general standards of independence, professional judgment, competence, and
quality control and assurance.

The manual also lacked policies and procedures for performing nonaudit services. One
of the reports we reviewed was a nonaudit service; however, documentation contained in
the project revealed confusion on the auditors’ part as to whether this project was a
performance audit or a nonaudit service. For example, the project review plan stated that
this was an audit and the Independent Reference Review certification, signed by the
Auditor-in-Charge, the Independent Reference Reviewer, and the Audit Manager, stated
that this audit was done in compliance with GAGAS. However, the final report did not
contain a statement that the project was done in compliance with GAGAS, which was
correct for a nonaudit service. Without proper policies and procedures, auditors had
difficulty determining the type of project they were performing.

Recommendations, Management Comments, and Our Response
Recommendations
We recommend that the Director, DeCA:

    1. Revise DeCAM 90-5.1, “DeCA Internal Audit Manual,” to include a section
       to fully implement the independence, professional judgment, competence,
       and quality control and assurance standards contained in the general
       standards section of GAGAS.

Management Comments
The Director, DeCA concurred.
The DeCA Internal Audit Manual (DeCAM 90-5.1) has
been revised to include sections on independence, professional judgment, competence,
and quality control.

[2] The newest version of GAGAS is dated December 2011. However, for this review, we were required to
use the July 2007 version of GAGAS, as it covered the period of our review, August 1, 2009 to July 31,
2011.

Our Response
The Director, DeCA comments were responsive and the actions meet the intent of the
recommendation.

    2. Revise DeCAM 90-5.1, “DeCA Internal Audit Manual,” to include guidance
       on the performance of nonaudit services.

Management Comments
The Director, DeCA concurred. The DeCA Internal Audit Manual (DeCAM 90-5.1) has
been revised to include a section on nonaudit services.

Our Response
The Director, DeCA comments were responsive and the actions meet the intent of the
recommendation.

Independence
Personal Independence
Two of the projects reviewed did not contain personal independence statements.
GAGAS, version 2007, paragraph 3.08.f, requires audit organizations to maintain
documentation of the steps taken to identify potential impairments to personal
independence. The DeCA Office of Internal Audit required all audit staff to complete an
annual independence statement and file the statements in quasi-official personnel folders
held by the office administrator. However, not all project folders contained a copy of
these independence statements. Because some projects did not contain the required
statements, external reviewers had to determine the independence of all auditors assigned
to each project.
At the time of our site visit in January 2012, a new policy was in effect at
the DeCA Office of Internal Audit to create a new independence statement for each new
project and place that statement in the project documentation; therefore, we have no
recommendations.

Organizational Independence
DeCA Office of Internal Audit performed two nonaudit service projects during the period
of our review. The files for the projects titled “Value of the Commissary Benefit Study”
and “Vendor Credit Memorandum, Little Creek Commissary” did not contain the
required documented analysis showing that providing this service would not impair the
DeCA Office of Internal Audit’s organizational independence. GAGAS, version 2007,
paragraph 1.34, states that audit organizations that provide nonaudit services must
evaluate whether providing nonaudit services creates an independence impairment either
in fact or appearance with respect to the entities they audit. Further, GAGAS, version
2007, paragraph 3.30.a, states that the audit organization should document its
consideration of nonaudit services, including its conclusions about the impact on
independence. This evaluation should always be performed when the decision is made to
perform a nonaudit service to ensure the consideration of potential for an independence
impairment. Although the DeCA Office of Internal Audit draft internal audit manual did
not contain guidance on the performance of nonaudit services, we did not identify any
organizational independence impairment issues.

Recommendations, Management Comments, and Our Response
Recommendations
We recommend the Director, DeCA:

    3. Revise DeCAM 90-5.1, “Internal Audit Manual,” to include guidance on how
       to evaluate and document organizational independence when deciding
       whether to perform a nonaudit service.

Management Comments
The Director, DeCA concurred. The DeCA Internal Audit Manual (DeCAM 90-5.1) has
been revised to include guidance on evaluating and documenting organizational
independence when determining to perform a nonaudit service.

Our Response
The Director, DeCA comments were responsive and the actions meet the intent of the
recommendation.

    4. Ensure that the files of any future nonaudit service performed by the DeCA
       Office of Internal Audit contain the required documented evaluation
       concerning organizational independence.

Management Comments
The Director, DeCA concurred. DeCA Office of Internal Audit created a nonaudit
service statement that is to be completed by the auditors and filed in the project.

Our Response
The Director, DeCA comments were responsive and the actions meet the intent of the
recommendation.

Audit Planning
Two of the projects we reviewed had audit planning issues.
GAGAS, version 2007,
paragraph 7.11, states that auditors should assess audit risks that are significant within the
context of the audit objective by gaining an understanding of the following:

   • the nature and profile of the programs and the needs of potential users of the audit
     report,

   • internal control as it relates to the specific objectives and scope of the audit, and

   • information systems controls for assessing audit risk and planning the audit.

Further, GAGAS, version 2007, paragraph 7.30, requires auditors to assess risks of fraud
occurring that are significant within the context of the audit objectives.

For the “Front-End Operations Fraud Indicators” audit, we did not identify any working
papers supporting that an assessment of audit risks was performed. Specifically, no
support existed that the auditors gained an understanding of the nature and profile of the
programs and needs of potential users, internal control, and the information systems
controls. Assessing audit risks provides auditors reasonable assurance that the evidence
they obtain is sufficient and appropriate to support their findings and conclusions.

The DeCA auditors did not perform fraud risk assessments for the “Front-End Operations
Fraud Indicators” and “Equipment Installation on New Construction, Additions and
Alterations” audits.
For example, for the “Front-End Operations Fraud Indicators” audit,
the audit guide documented the following as one of the audit objectives: “the audit will
focus on ensuring that controls are in place and operating as intended to help mitigate
fraudulent activities.” However, there were no working papers supporting that a fraud
risk assessment was performed for this audit.

Recommendation, Management Comments, and Our Response
Recommendation

    5. We recommend that the Director, DeCA ensure that auditors perform and
       document assessments of audit risks and fraud risks.

Management Comments
The Director, DeCA concurred. The DeCA Office of Internal Audit created mandatory
steps within the TeamMate template for all auditors to evaluate audit and fraud risks.

Our Response
The Director, DeCA comments were responsive and the actions meet the intent of the
recommendation.

Supervision
One project reviewed lacked adequate documentation of supervision. GAGAS, version
2007, paragraph 7.80c, states that auditors should document evidence of supervisory
review, before the audit report is issued, for the work performed that supports findings,
conclusions, and recommendations contained in the audit report.

For the “Front-End Operations Fraud Indicators” audit, only 1 of the 24 working papers
prepared by the auditors was evidenced as reviewed by a supervisor. Twenty-two of the
working papers were shown as “In Progress,” and 1 was shown as “Prepared” in
TeamMate [3]. Seven of the working papers not evidenced as reviewed by a supervisor
supported the findings, conclusions, and recommendations in the report.

Recommendations, Management Comments, and Our Response
Recommendation

    6. We recommend that the Director, DeCA, provide training on documenting
       supervision to all individuals who supervise audit projects and on signing
       working papers and reports.

Management Comments
The Director, DeCA concurred. The DeCA Office of Internal Audit has completed
training on the use of TeamMate thus improving oversight.

Our Response
The Director, DeCA comments were responsive and the actions meet the intent of the
recommendation.

Audit Documentation
All projects reviewed had issues with the adequacy of audit documentation. GAGAS,
version 2007, paragraph 7.77, states:

        Auditors should prepare audit documentation in sufficient detail to enable an
        experienced auditor, having no previous connection to the audit, to understand
        from the audit documentation the nature, timing, extent, and results of audit
        procedures performed, the audit evidence obtained and its source and the
        conclusions reached, including evidence that supports the auditors’ significant
        judgments and conclusions.

Further, GAGAS, version 2007, paragraph 7.80.b, requires documented evidence of work
performed.

For the “Review of Wrongfully Terminated Associate’s Medical Expenses” audit, the
term “N/A” (not applicable) was documented in the Scope, Results, and Conclusion
sections for three individual working papers. For the Scope section, we would expect to
see the specific time frame reviewed. In addition, for the Results and Conclusion section,
we would expect to see the results for the review of prior audit coverage and whether this
would be incorporated into the preparation of the audit program.

[3] TeamMate is the electronic audit management system that DeCA Office of Internal Audit uses to prepare
and store their working papers, findings, documentation supporting analysis and conclusions, and audit
reports. Additional TeamMate information can be found at www.cchteammate.com.

For the “Front-End Operations Fraud Indicators” audit, the Source was not documented
for 11 individual working papers, the Conclusion was not documented for five individual
working papers, and the Results/Discussion was not documented for two individual
working papers. These working papers supported the findings, conclusions, and
recommendations in the report. For example, one of the working papers prepared by the
auditors was to document the information systems used by DeCA to process data.
Finally, 22 working papers were created by the auditor but were not signed off as
completed. Seven of those working papers support the report. Examples include the
working papers prepared documenting the review and analysis of coupon acceptance and
redemption activities at the four commissaries visited by the audit team.

For the “Equipment Installation on New Construction, Additions and Alterations” audit,
the project documentation was lacking sufficient detail for another auditor to perform the
steps and come to the same conclusion. For example, a client-provided spreadsheet was
compared to an online database for accuracy; however, no evidence, such as screen shots,
of the online database was documented to validate the accuracy of the data in the
spreadsheet, and because the database changes on a daily basis, it could not be recreated
for the moment that it was used for validation. In addition, cross referencing throughout
the project could have been better to allow another auditor to easily follow the work
performed.

Recommendation, Management Comments, and Our Response
Recommendation

    7. We recommend that the Director, DeCA, provide training on audit
       documentation, cross referencing, and use of TeamMate.

Management Comments
The Director, DeCA concurred.
The DeCA Office of Internal Audit auditors completed
training on audit documentation, cross referencing, and in the use of the TeamMate
software.

Our Response
The Director, DeCA comments were responsive and the actions meet the intent of the
recommendation.

Appendix B. Summary of Interview Results Relating to DeCA Audit Policies and GAGAS
We interviewed the DeCA Office of Internal Audit Director and eight DeCA staff
members to determine their knowledge of DeCA audit policies and GAGAS. The
interviews consisted of questions related to the DeCA Office of Internal Audit policies
and GAGAS fieldwork and reporting standards. A summary of the results of the
responses received follows:

| Areas Pertaining to DeCA Office of Internal Audit Policies and GAGAS Standards | Staff Responses to Questions |
|---|---|
| 1. Awareness of DeCA Office of Internal Audit Policies | All staff were aware of the audit policies. |
| 2. Compliance with GAGAS | Most staff stated that their work complied with GAGAS standards. |
| 3. Independence | All staff stated that they did not encounter any external or organizational independence impairments when performing their work. All staff stated that they did not perform any nonaudit services that could impact independence. |
| 4. Competence | Staff responses indicated that the competency requirement was fulfilled. |
| 5. Quality Control and Assurance | Depending on the years of auditing experience and length of employment at the DeCA Office of Internal Audit, answers varied from extensive to minimal understanding of quality control procedures. |
| 6. Planning (Key Decisions) | Staff involved with audit planning documented key planning decisions and communicated with the client throughout the planning phase. |
| 7. Planning (Fraud) | Most staff stated that risk assessments were not consistently performed before DeCA Manual 90-5.1 was published in August 2011. DeCA Manual 90-5.1 requires risk assessments to be performed for each audit. |
| 8. Supervision | All staff stated that they received or provided adequate supervision. |
| 9. Audit Documentation | Staff provided examples of activities to show that audit reports are properly supported. |
| 10. Evidence | Staff provided examples to show that audit evidence is supported in the final audit report. |
| 11. Reporting (Timeliness) | The staff provided examples of activities to show that information provided in reports is current and relevant. |

Appendix C. Scope and Methodology
We reviewed the adequacy of the DeCA’s Office of Internal Audit compliance with
quality policies, procedures, and standards. In performing our review, we considered the
requirements of quality control standards contained in the July 2007 Revision of GAGAS
issued by the Comptroller General of the United States. GAGAS 3.56 states:

        The audit organization should obtain an external peer review sufficient in scope
        to provide a reasonable basis for determining whether the audit organization is
        complying with its quality control system in order to provide the audit
        organization with reasonable assurance of conforming with applicable
        professional standards.

We performed this review from August 2011 to June 2012 in accordance with standards
and guidelines established in the March 2009 Council of the Inspectors General on
Integrity and Efficiency Guide for Conducting External Peer Reviews of the Audit
Organizations of Federal Offices of Inspector General. In performing this review, we
assessed, reviewed, and evaluated audit documentation, interviewed DeCA Office of
Internal Audit auditors, and reviewed DeCA Office of Internal Audit internal policies that
were officially published on August 10, 2011.

We judgmentally selected four audit reports from a universe of 14 reports issued by the
Office of Internal Audit during the period of August 1, 2009 to July 31, 2011. In
selecting reports, we worked with the DeCA Office of Internal Audit to establish the
universe of reports that were issued during the review period.
We then selected audits
that were more recent to review the most current quality assurance procedures being
used, and we chose a variety of audits to ensure we reviewed multiple types of projects.

The following table identifies the specific reports reviewed. The Type of Review column
contains information that was determined by the report GAGAS compliance statement
and/or type of review described in the final report.

| Report Number | Report Title and Issue Date | Type of Review |
|---|---|---|
| DeCA IR 11-04 | Review of Wrongfully Terminated Associate’s Medical Expenses, May 2, 2011 | Performance |
| DeCA IR 11-01 | Value of the Commissary Benefit Study, January 6, 2011 | Performance* |
| DeCA IR 10-09 | Front-End Operations Fraud Indicators, November 15, 2010 | Performance |
| DeCA IR 10-07 | Equipment Installation on New Construction, Additions and Alterations, July 30, 2010 | Performance |

*Nonaudit service incorrectly classified as a performance audit.

Limitations of Review. Our review would not necessarily disclose all weaknesses in the
system of quality control or all instances of noncompliance because we based our review
on selective tests. There are inherent limitations in considering the potential
effectiveness of any quality control system.
In performing most control procedures,
departures can result from misunderstanding of instructions, mistakes of judgment,
carelessness, or other human factors. Projecting any evaluation of a quality control
system into the future is subject to the risk that one or more procedures may become
inadequate because conditions may change or the degree of compliance with procedures
may deteriorate.

Defense Commissary Agency, Headquarters Comments